Secure Card Reader

ABSTRACT

A secure card reader (1) includes several security measures. Access to the reader's main circuitry is prevented by an enclosure (9) whose walls contain embedded conductive paths (18 a, 18 b, 18 c). Breaking or grounding of one of these paths can be detected electronically. A similar arrangement of conductive paths prevents enlarging of a card receiving slot (9 c). If tampering is detected using the embedded conductive paths (18 a, 18 b, 18 c), the reader's memory (69) is wiped. The enclosure (9) has apertures (20) in its walls and is held in place by a potting material that extends into the apertures. Means (31, 35) are also provided to detect attempts to probe behind a keypad membrane (7). The contacts (42) for the chip of a chip card are arranged so that their leads all extend away from the card insertion slot.

The present invention relates to a secure card reader and, more particularly, to various security features that may be employed individually or in combinations.

Card readers for reading credit cards or the like are a familiar feature of modern life. In order for commerce to proceed using such devices, the devices must be secure so that they cannot be manipulated to facilitate fraudulent transactions.

US-A-2004/0120101 discloses a card reader in which circuitry is enclosed in a tamper-detecting enclosure. However, the chip card contact module is mounted outside of the tamper-detecting enclosure.

According to a first aspect of the present invention, there is provided an apparatus comprising a wall with an aperture in it, wherein at least one tamper detection conductor path is embedded in said wall around the aperture for detection of widening of the aperture. Thus, an article, for example a chip card, can be inserted into a secure device without the risk of an attack involving enlarging the aperture to allow the article to be inserted with wires or other data extraction devices attached thereto.

Preferably, the wall is a wall of an anti-tamper enclosure having at least one tamper detection conductive path embedded therein, an electronic circuit is located within the enclosure and object receiving means, within the enclosure and aligned with the aperture, the aperture being configured to allow insertion of an object for which the object receiving means is configured. More preferably, the object receiving means serves as an anti-probing barrier behind the aperture preventing access to said electronic circuit. The aperture may be configured for endways insertion of a credit card, in which case the object receiving means is a chip card contact module.

The conductive path or paths preferably extend across the whole of the enclosure such that cutting through the enclosure, to make electrical contact with the circuit, without breaking or grounding an embedded conductive path is substantially impracticable.

The conductive path or paths are arranged in a plurality of layers such that conductors in different layers are offset relative to each other. In other words, gaps between conductors in one layer are blocked by conductors in one or more other layers.

The enclosure may be assembled from a plurality of printed circuit boards, which can optionally be electrically connected and/or connected by an interlocking mechanical joint.

The electronic circuit may comprise means for feeding current through each conductive path and detecting disturbances thereof.

The electronic circuit may comprise a multi-layer printed circuit board having a first face on which components are mounted and a second face on which no components are mounted. The conductors carrying signals between said components are preferably separated from the second face by a tamper detection conductive path.

According to a second aspect of the present invention, there is provided an apparatus comprising a housing member and an enclosure fixed in the housing member by a potting material, wherein the enclosure includes holes, which may be through holes into which the potting material extends.

Preferably, the enclosure has an opening on one side and the opening is covered by a housing member. More preferably, the holes are provided around the rim of the opening, which may be received in a channel included in the housing member.

According to a third aspect of the present invention, there is provided an apparatus comprising:

-   a first housing shell having holes;
-   a second housing shell press-fitted to the first shell; and
-   a keypad membrane located in the first shell such that its keys extend through said holes,

wherein a wall is provided in the first or second shell to form a barrier between the seam between the shells and the membrane.

According to a fourth aspect of the present invention, there is provided a chip card contact module comprising a plurality of conductors leading from respective contacts, wherein none of the conductors leads from a contact in a direction opposite to any other.

The contact module preferably has a card input side into which a card can be inserted for reading, wherein none of said conductors leads from a contact towards the card input side. The contacts may be arranged in two rows comprising a front row and a back row, the front row being nearer the card input side than is the back row. Preferably, the conductors from the back row lead directly away from the card input side and the conductors from the front row diverge and then lead directly away from the card input slot.

According to a fourth aspect of the present invention, there is provided a keypad comprising a flexible membrane overlying a circuit board, the flexible membrane having a first set of conductive elements for connecting tracks on the circuit board so as to form push-to-make switches and a second set of conductive elements connecting tracks on the circuit board.

Preferably, the conductive elements of the first set are located in respective recesses aligned with respective buttons. More preferably, the conductive elements of the second set are located outside of said recesses.

The keypad is preferably installed behind an element which has apertures through which the buttons project and projections that bear against the membrane at positions aligned with the conductive elements of said second set.

The keypad may be included in an apparatus having means for passing current through the second set of conductive elements and means for detecting an interruption of current through the second set of conductive elements to produce a tamper condition indicating signal.

The foregoing aspects of the present invention may be employed in a card reader either individually or in combination. Preferably, all aspects are used together.

An embodiment of the present invention will now be described, by way of example, with reference to the accompanying drawings, in which:

FIG. 1 is a front view of a card reader module according to the present invention;

FIG. 2 is an exploded view of the card reader shown in FIG. 1;

FIG. 3 is a cross-section, somewhat exaggerated for clarity, of part of the PCB shown in FIG. 2;

FIGS. 4(a) to 4(b) show, somewhat exaggerated for clarity, the tamper detection layers of the PCB shown in FIG. 3;

FIG. 5 is an exploded view of the cover shown in FIG. 2;

FIG. 6 shows a detail of the cover mounted to the front main member of the module shown in FIG. 1 without potting material;

FIG. 7 shows potting material holding the cover in place;

FIG. 8 shows the keypad membrane installed on the front main member of the module shown in FIG. 1;

FIG. 9 shows part of the front face of the first PCB in FIG. 2;

FIG. 10 shows the keypad membrane;

FIG. 11 is a cross-section of the module of FIG. 1 along the line AA;

FIGS. 12(a) and 12(b) are respectively front and top views of the chip card contact module used in the card reader module shown in FIG. 1; and

FIG. 13 is a block diagram of the tamper detection circuitry of the card reader of FIG. 1.

Referring to FIG. 1, a card reader 1 comprises a body 2. A window 4, revealing an LCD panel, is located in the top half of the body 2 and the keys 5 of a keypad are distributed below the window 4. A card insertion slot 6 opens at the foot of the reader and chip cards can be inserted lengthways upwards into the slot 6 for reading.

Referring to FIG. 2, the body 2 comprises front and back main members 2 a, 2 b. The front and back main members 2 a, 2 d are coupled together by screws (not shown). The window 4 is incorporated into a bezel member 2 c which is screwed to the front of the front main member 2 a through PCB 8, thereby preventing removal of the window 4 when the module has been assembled.

The back main member 2 d may be dispensed with and the front main member 2 a fixed to another apparatus, which itself prevents access to the internals of the card reader 1 from behind.

A keypad membrane 7, a PCB 8 and a cover 9 (shown exploded) are sandwiched with the keypad membrane 7 at the front and the cover 9 at the back. The keypad membrane 7 includes keys 5 which project through corresponding holes 33 in the front main member 2 a. The PCB 8 is attached to the front main member 2 a by screws 11 so that the keypad membrane 7 is located between the PCB 8 and the front main member 2 a. The cover 9 is assembled from multi-layer PCBs and its sidewalls 9 a, 9 b are received in channels 15 formed by walls projecting from the back of the front main member 2 a. The cover 9 completely covers the PCB 8 such that the only access to the PCB 8 is through a card entry slot 9 c in a first end wall 9 d.

Referring to FIGS. 3 and 4(a) to 4(d), the PCB 8 is a multi-layer PCB. The keypad side of the PCB 8 contains tracks 30 forming the fixed contacts of the keys. Above the key contact tracks 30 are four layers containing serpentine tracks 18 a, 18 b, 18 c, 18 d. These serpentine conductive tracks 18 a, 18 b, 18 c, 18 d are offset with respect to each other and arranged so that active signal paths 19 in other layers cannot be reached without breaking one of the serpentine tracks 18 a, 18 b, 18 c, 18 d and interrupting a monitoring current flowing therethrough. The loops of the serpentine tracks 18 a, 18 b, 18 c, 18 d are packed as close as is practicable.

Referring to FIG. 5, the cover 9 comprises first and second side walls 9 a, 9 b, first and second end walls 9 c, 9 d and a roof 9 f. Each of the side walls 9 a, 9 b, the end walls 9 d, 9 e and the roof 9 f is made from multi-layer PCB and contains mutually off-set and criss-crossing serpentine conductive tracks like those of the PCB 8 and shown exaggeratedly in FIGS. 4(a) to 4(d). The serpentine tracks are configured to make it impossible to drill through the cover without breaking one of the paths. The loops of the serpentine tracks are packed as close as is practicable. A complete conductive sheet (not shown), forming a ground plane, is included on the outside of the serpentine paths to prevent visual inspection of the tracking layers beneath, to act as a grounding contact if a metal drill is used to attack the serpentine tracks and also to reduce electromagnetic emissions from the assembly. Additionally, there is the possibility that a tool being used in an attempt to probe through the cover 9 will short a serpentine track 18 a, 18 b, 18 c, 18 d to the ground plane.

The ends of the side walls 9 a, 9 b and the first end wall 9 e have notches. The notches enable the first end wall 9 e to be connected to the side walls 9 a, 9 b by halving joints. The second end wall 9 d has short tabs at either end which are received in the remaining notches in the first and second side walls 9 a, 9 b.

The roof 9 f is rectangular and has a shallow notch in one end. This notch receives a short tongue, that projects from the top of the first end wall 9 d, to locate the roof 9 f.

The elements 9 a, 9 b, 9 d, 9 e, 9 f of the cover 9 are held together by solder joints which also serve to interconnect the serpentine conductive paths in the different elements 9 a, 9 b, 9 d, 9 e, 9 f.

The serpentine tracks in the cover are connected to the PCB 8 via a connector, comprising a part 10 located centrally on the PCB 8 which mates with another part (not shown) located centrally on the underside of the roof 9 f. Electrical connection is only made by the connector when the male part is fully inserted into the female part. This prevents removal of the cover 9 from PCB 8 without breaking the tamper detection circuit. The connector is completely enclosed by the cover 9. A slot 9 c just large enough to allow a credit card to pass lengthwise is provided in the second end wall 9 d. The second end wall 9 d includes embedded conductors up to the edge of the slot 9 c such that the slot 9 c cannot be enlarged without breaking a conductor.

The side walls 9 a, 9 b and the second end wall 9 d each have a line of small through holes 20 in their lower margins, i.e. the parts received in the channels 15 formed on the back of the front main member 2 a.

Referring to FIG. 6, when the cover 9 has been located over the PCB 8, its side walls 9 a, 9 b and the second end wall 9 d are received in the channels 15 such that the through holes 20 are within the channels 15.

Referring to FIG. 7, the cover 9 is secured in position by an epoxy potting material 21. The potting material 21 extends into the through holes 20 locking the cover 9 in position.

Referring to FIG. 8, the inner walls 16 of the channels 15 project upward beyond the installed keypad membrane 7 to form a barrier preventing probes being inserted sideways under the keypad membrane 7.

Referring to FIG. 9, the front face of the first PCB is provided with a conductor pattern comprising first and second sets of pairs of interdigitated contacts 30, 31.

Referring to FIG. 10, the keypad membrane 7 is moulded from an elastomeric material. A recess 32 is formed under each key 5 and carbon pills 34 are mounted in the recesses 32. Additional carbon pills 35 are distributed in non-recessed parts of the keypad membrane 7.

When the PCB 8 is installed behind the keypad membrane 7, the carbon pills 34 in the recesses 32 are aligned with the contact pairs 30 of the first set and are shorted only when keys 5 are pressed to produce user input signals. The other carbon pills 35 are aligned with the contact pairs 31 of the second set. The contact pairs of the second set are shorted by default. Thus, the circuitry on the PCB 8 can detect attempts to probe behind the membrane by detecting an interruption in a current flowing through the contact pairs 31 of the second set.

Referring to FIG. 11, the front main member 2 a has a plurality of pillars 37 that project backwards between the holes. These pillars 37 are received by blind holes 38 in the keypad membrane 7 to press it towards the PCB 8. The blind holes 38 are aligned with the carbon pills 35, associated with the contact pairs 31 of the second set, and ensure that these contacts remain shorted during normal use.

Referring to FIGS. 12(a) and 12(b), a chip card contact module 40 is mounted on the PCB 8. The module 40 has a slot 41 that can receive a card inserted through the second slot 6 and slot 9 c. A set of contacts 42 is arranged to make contact with the contacts of a properly inserted card. The contacts 42 are arranged in two rows 42 a, 42 b of four. The rear row 42 a, i.e. the row furthest from the second slot 6, comprises the ends of four conductors 43, 44, 45, 46 that extend straight back away from the second slot 6. The front row 42 b comprises the ends of four conductors 47, 48, 48, 50 which also extend back away from the second slot 6. However, these conductors 47, 48, 48, 50 jink sideways so that two extend straight back on each side of the conductors 43, 44, 45, 46 from the first row 42 a of contacts.

Referring to FIG. 13, the card reader has three distinct tamper detection systems. These comprise the serpentine tracks 18 a, 18 b, 18 c, 18 d and associated circuitry, the additional carbon pills 35 and associated circuitry, and a temperature sensor 51 located within the cover 9, and associated circuitry.

A small battery 52, located within the cover 9, provides a permanent supply of power for the tamper detection circuitry.

The serpentine tracks 18 a, 18 b, 18 c, 18 d are connected in seriesbetween first and second resistors 53, 56. The first resistor 53 isconnected to the positive terminal of the battery 52. The secondresistor 56 is connected to ground. The node formed by the firstresistor 53 and the serpentine tracks 18 a, 18 b, 18 c, 18 d is alsoconnected to a first input of a window comparator 54. A second input ofthe window comparator 54 is provided with a first reference voltageVref1 a, which is derived from the voltage across the battery 52, and athird input of the window comparator 54 is provided with a secondreference voltage Vref1 b, which is derived from the voltage across thebattery 52.

Under normal conditions, the first input of the window comparator 54 isbetween the first and second reference voltages Vref1 a, Vref1 b and theoutput of the first comparator 54 is low. However, if one of theserpentine tracks 18 a, 18 b, 18 c, 18 d is broken, the voltage on thefirst input of the window comparator 54 rises past the first referencevoltage Vref1 a, causing the output of the window comparator 54 to gohigh. Similarly, if one of the serpentine tracks 18 a, 18 b, 18 c, 18 dis grounded, the voltage on the first input of the window comparator 54falls past the second reference voltage Vref1 b, causing the output ofthe window comparator 54 to go high.

A first latch 55 latches the high state of the output of the windowcomparator 54 so that even fleeting disturbances of the current throughthe serpentine tracks 18 a, 18 b, 18 c, 18 d can be responded toreliably.

The carbon pills 35 and associated contact pairs 31 are connected in series between a pull-up resistor 57. The node formed by the pull-up resistor 57 and the current path through the carbon pills 35 and associated contact pairs is also connected to a first input of a first comparator 58. A second input of the first comparator 58 is provided with a third reference voltage Vref2, which is derived from the voltage across the battery 52.

Under normal conditions, the first input of the first comparator 58 is low and the output of the first comparator 58 is also low. However, if the keypad membrane 7 is lifted, separating a carbon pill 35 from the associated contacts 31, the voltage at the first input of the first comparator 58 rises past the third reference voltage Vref2 and the output of the second comparator 58 then goes high. A second latch 59 latches the high state of the output of the first comparator 58 so that even a fleeting lifting of part of the keypad membrane 7 can be reliably responded to.

The output of the temperature sensor 51 is connected to a first input of a second comparator 62. The other input of the second comparator 62 is provided with a fourth reference voltage Vref3, which is derived from the voltage across the battery 52.

Under normal conditions, the output of the second comparator 62 is low. However, if the temperature sensed by the temperature sensor 51 falls below −25°, which indicates cooling being used to slow the response of other tamper detection systems, the output of the second comparator 68 goes high and is latched by a third latch 63.

The outputs of the latches 55, 59, 63 are supplied to a concentrating circuit 65, e.g. an AND-gate, which produces an erase signal when the output of any one or more of the latches 55, 59, 63 is high.

The erase signal is fed to an erase circuit 67 which is responsible for zeroisation of the security module's memory 69. In response to the erase signal, the erase circuit 67 writes zero to every location in the memory 69 and then opens a first switch 71 to remove power from the memory 69. Finally, a second switch 72 is closed to remove any residual charge from the memory 69.
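The detection chain of FIG. 13 can be modelled in C as follows. This is an added example, not part of the patent: the resistor values, reference voltages, 3 V battery, 50 ohm track resistance and memory contents are constructed assumptions (the page gives none), and the concentrating circuit is modelled by its stated behaviour, an erase signal when any latch is high.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed values: the page gives no component values or reference voltages. */
#define VBAT_MV    3000L    /* battery 52 */
#define R53_OHM    100000L  /* first resistor 53, to battery positive */
#define R56_OHM    100000L  /* second resistor 56, to ground */
#define VREF1A_MV  2000L    /* upper limit of window comparator 54 */
#define VREF1B_MV  1000L    /* lower limit of window comparator 54 */
#define VREF2_MV   1500L    /* reference for keypad comparator 58 */
#define TEMP_MIN_C (-25)    /* threshold stated on the page */
#define MEM_SIZE   16

typedef enum { TRACK_OK, TRACK_BROKEN, TRACK_GROUNDED } track_state;

typedef struct {
    bool latch55, latch59, latch63;   /* tamper latches */
    bool sw71_closed, sw72_closed;    /* memory power and discharge switches */
    uint8_t mem[MEM_SIZE];            /* memory 69 */
} reader;

/* Voltage at the node between resistor 53 and the serpentine tracks.
 * track_ohm is the track resistance from the node to resistor 56, or,
 * for a ground fault, from the node to the point of the fault. */
long track_node_mv(track_state s, long track_ohm) {
    if (s == TRACK_BROKEN) return VBAT_MV;          /* open circuit: pulled to battery */
    long lower = track_ohm + (s == TRACK_OK ? R56_OHM : 0); /* fault bypasses 56 */
    return VBAT_MV * lower / (R53_OHM + lower);
}

void reader_init(reader *r) {
    r->latch55 = r->latch59 = r->latch63 = false;
    r->sw71_closed = true;
    r->sw72_closed = false;
    for (int i = 0; i < MEM_SIZE; i++) r->mem[i] = 0xA5; /* constructed key material */
}

/* Erase circuit 67: zero every location, cut power, then bleed residual charge. */
static void zeroise(reader *r) {
    volatile uint8_t *p = r->mem;     /* volatile so the wipe is not optimised away */
    for (int i = 0; i < MEM_SIZE; i++) p[i] = 0;
    r->sw71_closed = false;
    r->sw72_closed = true;
}

/* One evaluation of the three comparators; returns the state of the erase signal. */
bool reader_sample(reader *r, track_state s, long track_ohm, bool pills_seated, int temp_c) {
    long v1 = track_node_mv(s, track_ohm);
    long v2 = pills_seated ? 0 : VBAT_MV;   /* pull-up 57 raises the node when a pill lifts */
    if (v1 > VREF1A_MV || v1 < VREF1B_MV) r->latch55 = true;
    if (v2 > VREF2_MV) r->latch59 = true;
    if (temp_c < TEMP_MIN_C) r->latch63 = true;
    bool erase_signal = r->latch55 || r->latch59 || r->latch63;
    if (erase_signal && r->sw71_closed) zeroise(r);
    return erase_signal;
}

/* Non-zero memory bytes left after a fault seen for one sample only. */
int bytes_left_after_fleeting(track_state s, bool pills_seated, int temp_c) {
    reader r;
    reader_init(&r);
    reader_sample(&r, TRACK_OK, 50, true, 20);
    reader_sample(&r, s, 50, pills_seated, temp_c);  /* the fleeting disturbance */
    reader_sample(&r, TRACK_OK, 50, true, 20);       /* conditions back to normal */
    int n = 0;
    for (int i = 0; i < MEM_SIZE; i++) n += r.mem[i] != 0;
    return n;
}
```

Because the latches hold, a disturbance that has cleared by the next sample still leaves the memory zeroised, the power switch open and the discharge switch closed.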

It will be appreciated that the security features described above may be used in other combinations both with each other and with other security features not described herein.

1-31. (canceled)
32. A chip card contact module comprising: a chamber for receiving a chip card, the chip card having a contact pad for providing access to data stored on the chip card; a card input slot for accessing the chamber; and a set of contacts within the chamber for contacting the contact pad of a chip card inserted in the chamber; the chip card contact module further comprising a plurality of conductors, each conductor leading away from a respective contact within the chamber to enable connection of the contacts to circuitry for processing data accessed from a chip card, wherein none of said conductors leads from a contact towards the card input slot.

33. A chip card contact module according to claim 32, wherein the contacts are arranged in two rows comprising a front row and a back row, the front row being nearer the card input slot than the back row.

34. A chip card contact module according to claim 33, wherein the conductors from the back row lead directly away from the card input slot and the conductors from the front row diverge and then lead directly away from the card input slot.

35. A chip card contact module according to claim 32, wherein the conductors extend to the exterior of the card contact module, the exterior portions of the conductors being located at the opposite side of the card contact module to the card input slot.

36. An apparatus including a chip card contact module according to claim 32, the apparatus comprising an anti-tamper enclosure including an aperture aligned with the card input slot of the chip card contact module, the aperture being configured to allow insertion of an electronic card and the anti-tamper enclosure further including at least one embedded tamper detection conductor path for detection of widening of the aperture.

37. An apparatus according to claim 36, wherein the anti-tamper enclosure is provided as a rigid structure.

38. An apparatus according to claim 36, wherein the aperture is configured for endways insertion of an electronic card.

39. An apparatus according to claim 36, wherein the conductive path or paths extend across the whole of the enclosure such that cutting through the enclosure without breaking or grounding an embedded conductive path is substantially impracticable.

40. An apparatus according to claim 36, wherein the conductive path or paths are arranged in a plurality of layers such that conductors in different layers are offset relative to each other.

41. An apparatus according to claim 36, where the enclosure is assembled from a plurality of printed circuit boards.

42. An apparatus according to claim 41, wherein a plurality of said printed circuit boards are electrically connected.

43. An apparatus according to claim 41, wherein a plurality of said printed circuit boards are connected by an interlocking mechanical joint.

44. An apparatus according to claim 36, wherein the chip card contact module serves as an anti-probing barrier behind the aperture preventing access to an electronic circuit.

45. An apparatus according to claim 44, wherein the electronic circuit comprises means for feeding current through each conductive path and detecting disturbances thereof.

46. An apparatus according to claim 44, wherein the electronic circuit comprises a multi-layer printed circuit board having a first face on which components are mounted and a second face on which no components are mounted.

47. An apparatus according to claim 46, wherein the conductors carrying signals between said components are separated from the second face by a tamper detection conductive path.

48. An apparatus according to claim 36, wherein the apparatus comprises a card reader.

49. An apparatus according to claim 36, wherein the aperture comprises a slot.

50. A chip card reader comprising a chip card contact module according to claim 32.